Devasy · Priya-0217 · Sep 17, 2025 · Sep 17, 2025 · Sep 17, 2025 · coderabbitai
@@ -0,0 +1,70 @@
+# Security Policy
+
+## 🛡️ Supported Versions
+
+We are committed to addressing security vulnerabilities in a timely manner. Security updates are provided for the following versions of SplitWiser:
+
++| 1.0.x   | ✅ Supported |
++| < 1.0   | ❌ Not supported |
-+| 1.0.x   | ✅ Supported |
-+| < 1.0   | ❌ Not supported |
+| Version | Support |
+|--------:|:---------|
+| 1.0.x   | ✅ Supported |
+| < 1.0   | ❌ Not supported |
-+| 1.0.x   | ✅ Supported |
-+| < 1.0   | ❌ Not supported |
+| Version | Support |
+|--------:|:---------|
+| 1.0.x   | ✅ Supported |
+| < 1.0   | ❌ Not supported |
+## 🚨 Reporting a Vulnerability
+
+**Please do not report security vulnerabilities through public GitHub issues, discussions, or comments.**
+
+The security and privacy of our users are our highest priority. We encourage you to report any potential vulnerabilities directly and privately to our maintainers.
++### ✅ Safe Harbor
++If you make a good-faith effort to comply with this policy while researching and reporting, we will not pursue or support legal action against you. This includes accidental privacy violations or service disruptions that are promptly reported and minimized.
++
++### 🔬 Testing Guidelines
++- Do not perform denial-of-service, spam, or brute-force attacks.
++- Do not access, modify, or exfiltrate data that does not belong to you.
++- No social engineering, phishing, or physical attacks.
++- Respect rate limits; use test accounts and sample data where possible.
++
++### Out of Scope (examples)
++- Reports without a clear security impact (e.g., descriptive error messages).
++- Clickjacking on pages with no sensitive actions.
++- SPF/DMARC/DKIM configuration suggestions without exploitability.
++- Use of outdated libraries without a proven exploit path.
+
+**How to Report:**
+
+1.  **Email Us:** Please send details to **[[email protected]](mailto:[email protected])**.
+2.  **Describe the Issue:** To help us triage the issue quickly, please include:
+    -   The type of vulnerability (e.g., "SQL Injection", "XSS").
+    -   The full URL or code component where the vulnerability was found.
+    -   A detailed description of the steps to reproduce the issue.
+    -   Any proof-of-concept code, screenshots, or requests that demonstrate the exploit.
+    -   The potential impact of the vulnerability.
+
+**What to Expect:**
+
+-   **Within 48 hours (business days):** Acknowledge receipt of your report.
+-   We will work with you to understand and validate the reported issue.
+-   We will keep you informed as we work on a fix and plan its release.
+-   We will notify you when the vulnerability is resolved and will happily credit you for your discovery (unless you wish to remain anonymous).
+
+-   +### ⏱️ Target timelines by severity
++| Severity  | Target fix/release window |
++|-----------|---------------------------|
++| Critical  | 7–14 days                 |
++| High      | ≤ 30 days                 |
++| Medium    | ≤ 60 days                 |
++| Low       | ≤ 90 days                 |
+
++These are targets, not guarantees; complex issues or upstream dependencies may require coordination.
+
-   +### ⏱️ Target timelines by severity
-+| Severity  | Target fix/release window |
-+|-----------|---------------------------|
-+| Critical  | 7–14 days                 |
-+| High      | ≤ 30 days                 |
-+| Medium    | ≤ 60 days                 |
-+| Low       | ≤ 90 days                 |
-
-+These are targets, not guarantees; complex issues or upstream dependencies may require coordination.
+### ⏱️ Target timelines by severity
+| Severity | Target fix/release window |
+|---------|----------------------------|
+| Critical | 7–14 days |
+| High     | ≤ 30 days |
+| Medium   | ≤ 60 days |
+| Low      | ≤ 90 days |
+
+Note: These are targets, not guarantees; complex issues or upstream dependencies may require coordination.
-   +### ⏱️ Target timelines by severity
-+| Severity  | Target fix/release window |
-+|-----------|---------------------------|
-+| Critical  | 7–14 days                 |
-+| High      | ≤ 30 days                 |
-+| Medium    | ≤ 60 days                 |
-+| Low       | ≤ 90 days                 |
-
-+These are targets, not guarantees; complex issues or upstream dependencies may require coordination.
+### ⏱️ Target timelines by severity
+| Severity | Target fix/release window |
+|---------|----------------------------|
+| Critical | 7–14 days |
+| High     | ≤ 30 days |
+| Medium   | ≤ 60 days |
+| Low      | ≤ 90 days |
+
+Note: These are targets, not guarantees; complex issues or upstream dependencies may require coordination.
+We deeply appreciate any effort to disclose vulnerabilities responsibly. Thank you for helping us keep SplitWiser and its users safe.
+
+## 🔓 Disclosure Policy
+
+We follow a **coordinated disclosure** process:
+1.  The vulnerability is reported and privately confirmed.
+2.  A fix is developed and tested.
+3.  The fix is deployed to all supported versions.
+4.  A security advisory is published on GitHub, detailing the vulnerability and crediting the researcher.
+
+This process typically takes **30-90 days** from report to public disclosure to ensure users are protected while a fix is developed.
+
+## 🙏 Acknowledgments
+
+We would like to thank the following security researchers who have helped keep SplitWiser safe